
[SpamCop-List] Re: Forged header causing spamcop not to report

Mike Easter MikeE at ster.invalid
Thu Oct 20 06:18:20 EDT 2005


Scott wrote:
> I tried to report this mail.  It appears to have a forged Received
> header with an older date.  Spamcop won't allow the message to be
> reported because it's too old.
>
www.spamcop.net/sc?id=z817763553z45a42559e41589533bc126b3485d51eaz

  from hotmail.com ([65.54.187.181]) by mail.misonix.com
  from mail pickup service by hotmail.com
  from 196.1.178.27 by BAY18-DAV1.phx.gbl *timestamp 4d20h

This is a mailhosted parse.  Mailhosts are parsed differently from
nonmailhosteds and the age is determined differently.

This is the same item parsed by a non-mailhost:

http://www.spamcop.net/sc?id=z817766385z5e3b4e1b8111b3d0cb3f088c956aa642z

"Message is 7 hours old"

Report Spam to:
Re: 196.1.178.27 (Administrator of network where email originates)
   To: nomaster at devnull.spamcop.net (Notes)

<cancelled>

> Bug in the system?

I'm not 'smart enough' to know what a 'bug' is;  for the parser, I can
only put things in one end and see what comes out the other end -- like
a black box.

What I see of the black box's behavior;  for a nonmailhosted, the
timestamp of an item is determined by its first [from the top of the
parsing chain] good Received line's timestamp.  For your item, it used
the stamp of the last line of the chain I posted above.  The
BAY18-DAV1.phx.gbl line is stamped 4 days 20 hours before the next
hotmail line up the chain.

I'm not familiar with the type of hotmail headers in your spam.

What I have seen before looks like this:

  from hotmail.com (bay16-f22.bay16.hotmail.com [65.54.186.72]) by ourserver.edu
  from mail pickup service by hotmail.com
  from 216.139.176.62 by by16fd.bay16.hotmail.msn.

and the phx.gbl and BAY16 parts appear in the msgid

Message-ID: <BAY16-F224F545916A2C1A5A8C5739DA80 at phx.gbl

So, the bottom line is that I don't know what is going on with hotmail
or why SC has such a different way of determining age for mailhost vs
non-mailhost.

The IP in the headers /is/ a hotmail output server.


-- 
Mike Easter
kibitzer, not SC admin
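
Added example, not part of the original post and not SpamCop's parser: it computes the two ages the post contrasts (from the top Received stamp and from the bottom one) and flags a hop stamped far earlier than the hop above it. The header dates and the 24-hour `max_gap` threshold are constructed assumptions; the hosts and IPs are the ones quoted in the post.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts/IPs are from the post, dates are invented so the
# bottom hop is stamped 4 days 20 hours before the hop above it.
SAMPLE = """\
Received: from hotmail.com ([65.54.187.181]) by mail.misonix.com;
\tThu, 20 Oct 2005 02:00:05 -0400
Received: from mail pickup service by hotmail.com;
\tThu, 20 Oct 2005 02:00:00 -0400
Received: from 196.1.178.27 by BAY18-DAV1.phx.gbl;
\tSat, 15 Oct 2005 06:00:00 -0400
Subject: constructed sample

body
"""

def hop_times(raw):
    """Return [(received_line, datetime)] ordered from the top of the chain down."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line, _, stamp = value.rpartition(";")  # the date follows the last ';'
        try:
            hops.append((" ".join(line.split()), parsedate_to_datetime(stamp.strip())))
        except (TypeError, ValueError):
            continue  # a hop without a parsable date is skipped
    return hops

def analyse(raw, now, max_gap=timedelta(hours=24)):
    hops = hop_times(raw)
    if not hops:
        return None
    # A hop stamped much earlier than the hop above it is inconsistent.
    gaps = [(lower[0], upper[1] - lower[1])
            for upper, lower in zip(hops, hops[1:])
            if upper[1] - lower[1] > max_gap]
    return {
        "age_from_top": now - hops[0][1],      # dating by the top Received line
        "age_from_bottom": now - hops[-1][1],  # dating by the bottom Received line
        "suspicious_gaps": gaps,
    }

# Constructed "now", chosen so the top-of-chain age is 7 hours.
NOW = datetime(2005, 10, 20, 9, 0, 5, tzinfo=timezone(timedelta(hours=-4)))
RESULT = analyse(SAMPLE, NOW)
```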


